Privacy Policy
Preamble
With this Privacy Policy, we inform you about the types of your personal data (hereinafter also referred to as "data") that we process, the purposes for which we process them, and the extent of such processing. This Privacy Policy applies to all processing of personal data carried out by us, both in the course of providing our services and, in particular, on our websites, within mobile applications, and on external online presences such as our social media profiles (hereinafter collectively referred to as the "online offering").
The terminology used in this Privacy Policy is gender-neutral.
Last updated: 1 March 2026
Table of Contents
- Preamble
- Controller
- Overview of Processing Activities
- Legal Bases for Processing
- Security Measures
- Disclosure of Personal Data
- International Data Transfers
- General Information on Data Retention and Erasure
- Data Subject Rights
- Business Services
- Business Processes and Procedures
- Use of Online Platforms for Sales and Distribution Purposes
- Service Providers Used in the Course of Our Business Activities
- Payment Processing
- Provision of the Online Offering and Web Hosting
- Use of Cookies
- Blogs and Online Publications
- Contact and Enquiry Management
- Communication via Messaging Services
- Artificial Intelligence (AI)
- Video Conferences, Online Meetings, Webinars and Screen Sharing
- Cloud Services
- Newsletters and Electronic Communications
- Web Analytics, Monitoring and Optimisation
- Online Marketing
- Customer Reviews and Rating Procedures
- Social Media Presences
- Plug-ins and Embedded Functions and Content
- Management, Organisation and Support Tools
- Amendments and Updates
- Definitions
Controller
FEELGOOD SICILY
Anke Didier & Sebastian Dreßen
Via Mazzini 27 - 97014 Ispica, RG - Italy
Email address: hello@feelgood-sicily.com
Legal notice: https://feelgood-sicily.com/imprint/
Overview of Processing Activities
The following overview summarises the types of personal data processed, the purposes of their processing, and refers to the categories of data subjects concerned.
Types of Data Processed
- Identity data.
- Employment data.
- Payment data.
- Location data.
- Contact data.
- Content data.
- Contract data.
- Usage data.
- Meta, communication and procedural data.
- Image and/or video recordings.
- Audio recordings.
- Contact information (Facebook).
- Event data (Facebook).
- Log data.
Special Categories of Data
- Health data.
Categories of Data Subjects
- Service recipients and clients.
- Employees.
- Prospective customers and enquirers.
- Communication partners.
- Users.
- Business and contractual partners.
- Tenants.
- Individuals depicted in images or videos.
- Third parties.
- Customers.
Purposes of Processing
- Provision of contractual services and fulfilment of contractual obligations.
- Communication.
- Security measures.
- Direct marketing.
- Reach measurement and analytics.
- Tracking.
- Office and organisational procedures.
- Remarketing.
- Conversion tracking.
- Audience targeting.
- Affiliate tracking.
- A/B testing.
- Administrative and organisational management.
- Feedback collection.
- Marketing.
- Creation of user-related profiles.
- Provision and optimisation of our online offering.
- IT infrastructure.
- Financial and payment management.
- Public relations.
- Sales promotion.
- Business processes and economic operations.
- Artificial Intelligence (AI).
Legal Bases for Processing
Legal bases under the UK GDPR and EU GDPR: Below you will find an overview of the legal bases on which we process personal data. Please note that, in addition to the provisions of the UK GDPR and, where applicable, the EU GDPR, national data protection laws in your country of residence or our place of establishment may apply. Should more specific legal bases be relevant in individual cases, we will inform you accordingly in this Privacy Policy.
- Consent (Article 6(1)(a) UK GDPR / EU GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Article 6(1)(c) UK GDPR / EU GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection provisions in Germany: In addition to the UK GDPR and EU GDPR, national data protection provisions may apply, including the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG), which contains supplementary provisions, in particular regarding rights of access, erasure, objection, the processing of special categories of personal data, processing for other purposes, data transfers and automated decision-making including profiling.
Applicable legal bases under the Swiss Federal Act on Data Protection (FADP): If you are located in Switzerland, we process your data in accordance with the Swiss Federal Act on Data Protection (FADP). Unlike the UK GDPR and EU GDPR, the FADP does not generally require a specific legal basis to be stated for processing, provided that personal data is processed in good faith, lawfully and proportionately (Article 6(1) and (2) FADP). Personal data is collected for a specific purpose that is recognisable to the data subject and processed only in a manner compatible with that purpose (Article 6(3) FADP).
Note on the applicability of the UK GDPR, EU GDPR and Swiss FADP: This Privacy Policy serves to provide information both under the Swiss FADP and under the UK GDPR and EU GDPR. For reasons of clarity and broader territorial applicability, the terminology of the UK GDPR and EU GDPR is primarily used. Where Swiss-specific terminology differs, its legal meaning shall be determined in accordance with the Swiss FADP where applicable.
National data protection provisions in Italy: In Italy, data protection is supplemented by the Italian Data Protection Code (Codice in materia di protezione dei dati personali).
Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to data, as well as access, input, disclosure, availability and separation of data. Furthermore, we have established procedures to ensure the exercise of data subject rights, the erasure of data and responses to data protection incidents. We also take the protection of personal data into account during the development and selection of hardware, software and procedures in accordance with the principles of data protection by design and by default.
Protection of online connections through TLS/SSL encryption (HTTPS): To protect the data of users transmitted via our online services from unauthorised access, we use TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are essential technologies for secure data transmission on the internet. These technologies encrypt the information transmitted between a website or application and the user’s browser (or between servers), thereby protecting the data in transit from unauthorised access. The use of HTTPS in the URL indicates that the data transmission is encrypted.
Disclosure of Personal Data
In the course of processing personal data, it may be disclosed or transferred to other entities, companies, legally independent organisational units or individuals. Recipients of such data may include, for example, service providers entrusted with IT-related tasks or providers of services and content integrated into our website. In such cases, we comply with the applicable legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to ensure the protection of your personal data.
Data transfers within the corporate group: We may transfer personal data to other companies within our corporate group or grant them access to such data. Such transfers are based on our legitimate business and economic interests. These include, for example, the improvement of business processes, ensuring efficient and effective internal communication, the optimal use of human and technological resources, and the ability to make informed business decisions. In certain cases, data transfers may also be necessary for the performance of contractual obligations or may be based on the data subject’s consent or a statutory authorisation.
Data transfers within the organisation: We may transfer personal data to other departments or organisational units within our organisation or grant them access to such data. Where data is transferred for administrative purposes, this is based on our legitimate business and economic interests, or, where necessary, for the performance of contractual obligations, or where the data subject has provided consent or where there is a statutory authorisation.
International Data Transfers
Processing in third countries: Where we transfer personal data to a third country (i.e. a country outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or disclosing or transferring data to other persons, entities or companies (as may be apparent from the provider’s postal address or where expressly indicated in this Privacy Policy), such transfers are carried out in compliance with the applicable legal requirements.
For transfers of data to the United States, we primarily rely on the EU–US Data Privacy Framework (DPF), which has been recognised as providing an adequate level of protection by adequacy decision of the European Commission dated 10 July 2023. In addition, we have concluded Standard Contractual Clauses (SCCs) with the relevant providers in accordance with the requirements of the European Commission, establishing contractual obligations to protect your personal data.
This dual safeguard ensures a comprehensive level of protection: the DPF serves as the primary safeguard, while the Standard Contractual Clauses provide an additional protective mechanism. Should there be changes to the DPF framework, the Standard Contractual Clauses will operate as a reliable fallback mechanism to ensure continued protection of your personal data.
For each service provider, we inform you whether they are certified under the DPF and whether Standard Contractual Clauses are in place. Further information about the DPF and a list of certified organisations can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/.
For transfers to other third countries, appropriate safeguards apply, in particular Standard Contractual Clauses, explicit consent or legally required transfers. Information on international transfers and adequacy decisions can be obtained from the European Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
Disclosure of personal data abroad under Swiss law: In accordance with the Swiss Federal Act on Data Protection (FADP), we disclose personal data abroad only where an adequate level of protection for data subjects is ensured (Article 16 FADP). If the Swiss Federal Council has not recognised an adequate level of protection (list available at: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement appropriate alternative safeguards.
For data transfers to the United States, we primarily rely on the Swiss–US Data Privacy Framework (DPF), recognised by adequacy decision of Switzerland dated 15 September 2024. In addition, we have concluded Standard Data Protection Clauses approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC), which establish contractual obligations for the protection of your personal data.
This dual safeguard ensures a comprehensive level of protection: the DPF constitutes the primary safeguard, while the Standard Data Protection Clauses provide additional protection. Should changes occur within the DPF framework, the Standard Data Protection Clauses serve as a reliable fallback mechanism.
For each service provider, we inform you whether they are certified under the DPF and whether Standard Data Protection Clauses are in place. A list of certified organisations and further information can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/.
For transfers to other third countries, appropriate safeguards apply, including international agreements, specific guarantees, Standard Data Protection Clauses approved by the FDPIC, or binding corporate rules recognised by the FDPIC or another competent supervisory authority.
General Information on Data Retention and Erasure
We erase personal data processed by us in accordance with the statutory provisions as soon as the underlying consent is withdrawn or no further legal basis for processing exists. This applies where the original purpose of processing no longer applies or the data is no longer required. Exceptions apply where statutory obligations or overriding legitimate interests require longer retention or archiving.
In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for the establishment, exercise or defence of legal claims, must be archived accordingly.
Our Privacy Policy contains additional information regarding retention and erasure periods that apply specifically to certain processing activities.
Where multiple retention periods apply, the longest period shall prevail. Data retained beyond the original purpose due to statutory obligations or other legal reasons will be processed solely for the reasons justifying such retention.
Retention and erasure of data under German law: The following general retention periods apply:
- 10 years – Retention period for books and records, annual financial statements, inventories, management reports, opening balance sheets and the necessary organisational documentation (§ 147 AO, § 14b UStG, § 257 HGB).
- 8 years – Accounting documents such as invoices and expense receipts (§ 147 AO, § 257 HGB).
- 6 years – Other business documents, including commercial correspondence and tax-relevant documentation (§ 147 AO, § 257 HGB).
- 3 years – Data necessary for considering potential warranty and damages claims or similar contractual rights and processing related enquiries, corresponding to the regular statutory limitation period (§§ 195, 199 BGB).
Retention and erasure of data under Swiss law: The following general retention periods apply:
- 10 years – Retention period for books and records, financial statements, inventories, accounting documents and related organisational documentation (Article 958f Swiss Code of Obligations (CO)).
- 10 years – Data necessary for the consideration of potential damages claims or similar contractual rights, subject to statutory limitation periods under Articles 127 and 130 CO. Certain claims are subject to a five-year limitation period pursuant to Article 128 CO.
Commencement of limitation periods: Where a retention period does not explicitly begin on a specific date and is at least one year in duration, it shall commence automatically at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships under which data is stored, the triggering event is the effective termination or other ending of the contractual relationship.
Data Subject Rights
Rights of data subjects under the UK GDPR and EU GDPR: As a data subject, you have various rights, in particular those arising from Articles 15 to 21 UK GDPR / EU GDPR:
- Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) UK GDPR / EU GDPR; this also applies to profiling based on these provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw consent at any time.
- Right of access: You have the right to request confirmation as to whether personal data concerning you is being processed and, where that is the case, access to the personal data and further information, as well as a copy of the data in accordance with the applicable legal requirements.
- Right to rectification: You have the right, in accordance with the applicable legal requirements, to request the completion of incomplete personal data concerning you or the correction of inaccurate personal data concerning you.
- Right to erasure and restriction of processing: You have the right, subject to the applicable legal requirements, to request the erasure of personal data concerning you without undue delay and, alternatively, to request restriction of processing of the data.
- Right to data portability: You have the right to receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format, or to request that it be transmitted to another controller, in accordance with the applicable legal requirements.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular in the country where you usually reside, your place of work, or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the UK GDPR / EU GDPR.
Rights of data subjects under the Swiss Federal Act on Data Protection (FADP):
As a data subject, you have the following rights in accordance with the Swiss FADP:
- Right of access: You have the right to request confirmation as to whether personal data relating to you is being processed and to receive the information necessary to exercise your rights under the Swiss FADP and to ensure transparent data processing.
- Right to data release or transfer: You have the right to request the release of your personal data that you have provided to us in a commonly used electronic format.
- Right to rectification: You have the right to request correction of inaccurate personal data relating to you.
- Right to object, erasure and destruction: You have the right to object to the processing of your data and to request that personal data relating to you be erased or destroyed.
Business Services
We process personal data of our contractual and business partners, such as customers, clients, prospective customers, suppliers and other cooperation partners (collectively “contractual partners”), for the initiation, performance and administration of contractual relationships and comparable legal relationships. This also includes pre-contractual measures taken at the request of the data subject, as well as communication in connection with the relevant contractual relationship.
Processing serves in particular to fulfil our primary and ancillary contractual obligations. This includes providing the agreed services, any update and information obligations, handling warranty claims and other performance issues, processing withdrawals, terminations of continuing obligations, reversals, refunds, and handling other contract-related declarations and enquiries. This covers both one-off contracts and ongoing contractual relationships.
In particular, we process master data such as name, address and, where applicable, company, contact details such as email address and telephone number, contract and service data such as the subject matter of the contract, contract term, order or transaction number, usage and service data, payment and billing data, as well as communication content and histories. Where necessary, we also process data disclosed or transmitted to us in the course of carrying out an assignment.
In addition, we process data to protect our rights and to comply with legal obligations. This includes, in particular, commercial and tax-law retention obligations, documentation obligations and, where applicable, evidence and accountability obligations. Processing may also take place on the basis of our legitimate interests in proper business management, internal administration, risk management and IT security, as well as in protecting our business operations and our contractual partners against misuse, risks to data, confidential information and other protected legal interests. This may also include engaging external service providers such as IT and telecommunications providers, transport and logistics companies, payment service providers, banks, tax advisers and legal advisers or other processors/subcontractors, where necessary for contract performance or for compliance with legal obligations.
Personal data is disclosed to third parties only insofar as this is necessary for performance of the contract, pre-contractual measures, the pursuit of legitimate interests, or compliance with legal obligations. We provide separate information within this Privacy Policy regarding any further processing, in particular for marketing purposes.
Which data is required in the individual case will be communicated to contractual partners at the time of collection, for example via appropriate marking in online forms or during personal contact.
Data is erased as soon as it is no longer required for the above purposes and no statutory retention obligations prevent erasure. Statutory retention periods, in particular under commercial and tax law, may require longer storage. Data transmitted in connection with a specific assignment will be erased after completion of the assignment and expiry of any retention periods, provided that no further statutory or contractual storage obligations apply.
The legal basis for processing is Article 6(1)(b) UK GDPR / EU GDPR for pre-contractual measures and performance of the relevant contractual relationship, and Article 6(1)(c) UK GDPR / EU GDPR for compliance with legal obligations. Where processing is based on legitimate interests, it is carried out on the basis of Article 6(1)(f) UK GDPR / EU GDPR. Where processing relies on Article 6(1)(f) UK GDPR / EU GDPR, it is undertaken to safeguard our legitimate interests in proper and efficient business organisation, internal administration and documentation of business transactions, the establishment, exercise or defence of legal claims, ensuring IT and data security, preventing misuse and fraud, and the economic management and development of our business operations. These interests exist in particular in ensuring secure and legally compliant operations and safeguarding our ability to operate as a business.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter, term, customer category).
- Special categories of personal data: Health data.
- Data subjects: Service recipients and clients; prospective customers and enquirers; business and contractual partners.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; administrative and organisational management; business processes and economic operations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legal obligation (Article 6(1)(c) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Hospitality, hotel and accommodation services: We process information provided by our guests, visitors and enquirers (collectively “guests”) in order to provide accommodation and related tourism or hospitality services and to invoice services provided.
In the course of providing our services, it may be necessary to process special categories of personal data within the meaning of Article 9(1) UK GDPR / EU GDPR, in particular information relating to a person’s health or information relating to religious beliefs. Processing is carried out to protect guests’ health interests (e.g. in the case of information about allergies) or otherwise to meet their physical or mental needs at their request and with their consent.
Where necessary for contract performance or required by law, where guests have consented, or on the basis of our legitimate interests, we may disclose or transfer guests’ data, for example, to service providers involved in delivering our services or to authorities, billing bodies, and providers in the IT, office or comparable service sectors; Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR).
Business Processes and Procedures
Personal data of service recipients and clients – including customers, clients or, in specific cases, mandate holders, patients or business partners, as well as other third parties – is processed in the context of contractual and comparable legal relationships and pre-contractual measures such as initiating business relationships. This data processing supports and facilitates operational processes in areas such as customer management, sales, payments, accounting and project management.
The collected data is used to fulfil contractual obligations and to organise business processes efficiently. This includes handling business transactions, managing customer relationships, optimising sales strategies, and ensuring internal accounting and financial processes. In addition, the data supports the protection of the controller’s rights and assists administrative tasks and organisational management.
Personal data may be disclosed to third parties where necessary to achieve the stated purposes or to comply with legal obligations. Once statutory retention periods expire, or where the purpose of processing no longer applies, data will be erased. This includes data that must be retained for longer periods due to tax and statutory documentation obligations.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship and creation time); contract data (e.g. subject matter, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); log data (e.g. log files relating to logins, retrieval of data or access times).
- Data subjects: Service recipients and clients; prospective customers and enquirers; communication partners; business and contractual partners; customers; third parties; users (e.g. website visitors, users of online services); employees (e.g. staff, applicants, temporary workers and other personnel).
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and economic operations; security measures; provision of our online offering and user-friendliness; communication; marketing; sales promotion; public relations; financial and payment management; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)).
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); legal obligation (Article 6(1)(c) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Customer management and Customer Relationship Management (CRM): Procedures required in the context of customer management and CRM (e.g. customer acquisition in compliance with data protection requirements, measures to promote customer retention and loyalty, effective customer communication, complaints handling and customer service with due regard to data protection, data management and analysis to support customer relationships, administration of CRM systems, secure account management, customer segmentation and audience targeting); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Contact administration and relationship maintenance: Procedures required to organise, maintain and safeguard contact information (e.g. setting up and maintaining a central contact database, regular updates of contact information, monitoring data integrity, implementing data protection measures, ensuring access controls, backups and restore procedures, training staff in effective use of contact management software, reviewing communication history and adapting contact strategies); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Customer account: Customers can create an account within our online offering (e.g. customer/user account, “customer account”). Where registration is required, customers will be informed accordingly as well as of the information required for registration. Customer accounts are not public and cannot be indexed by search engines. In the course of registration and subsequent logins and use of the customer account, we store customers’ IP addresses and access times to evidence registration and to prevent misuse of the customer account. If the customer account is terminated, the data will be erased after the termination takes effect, unless it is retained for purposes other than providing the customer account or must be retained for legal reasons (e.g. internal storage of customer data, orders or invoices). It is the customer’s responsibility to back up their data before terminating the customer account; Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- General payment transactions: Procedures required for carrying out payment transactions, monitoring bank accounts and controlling payment flows (e.g. preparing and checking bank transfers, processing direct debits, checking account statements, monitoring incoming and outgoing payments, managing chargebacks, account reconciliation, cash management); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Accounting, accounts payable, accounts receivable: Procedures required for recording, processing and monitoring business transactions in accounts payable and receivable (e.g. preparing and checking incoming and outgoing invoices, monitoring and managing outstanding items, carrying out payments, dunning processes, reconciliation of receivables and liabilities); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legal obligation (Article 6(1)(c) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Financial accounting and taxes: Procedures required for recording, managing and monitoring financially relevant business transactions and for calculating, reporting and paying taxes (e.g. allocating and posting business transactions, preparing quarterly and annual accounts, conducting payment transactions, dunning processes, account reconciliation, tax advice, preparing and submitting tax returns, tax administration); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legal obligation (Article 6(1)(c) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Marketing, advertising and sales promotion: Procedures required for marketing, advertising and sales promotion (e.g. market analysis and audience definition, development of marketing strategies, planning and running advertising campaigns, creation and production of marketing materials, online marketing including SEO and social media campaigns, event marketing and trade fairs, customer loyalty programmes, sales promotion measures, performance measurement and optimisation of marketing activities, budget management and cost control); Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Business analytics and market research: For business purposes and to identify market trends and the needs of contractual partners and users, the available data on business transactions, contracts, enquiries, etc. is analysed. The categories of data subjects may include contractual partners, prospective customers, customers, visitors and users of the controller’s online offering. Analyses are carried out for business evaluation, marketing and market research purposes (e.g. identifying customer groups with different characteristics). Where available, profiles of registered users and information about services used may be considered. Analyses are carried out solely for the controller and are not disclosed externally, unless they are anonymous analyses with aggregated (i.e. anonymised) values. Users’ privacy is respected; data is, where possible, processed in a pseudonymised and, if feasible, anonymised form (e.g. aggregated data); Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Public relations: Procedures required for public relations (e.g. developing and implementing communication strategies, planning and running PR campaigns, preparing and distributing press releases, maintaining media contacts, monitoring and analysing media coverage, organising press conferences and public events, crisis communications, creating content for social media and corporate websites, corporate branding support); Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Guest Wi-Fi: Procedures required to set up, operate, maintain and monitor a wireless network for guests (e.g. installation and configuration of Wi-Fi access points, creation and management of guest access, monitoring network connectivity, ensuring network security, troubleshooting, updating network software, compliance with data protection requirements); Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legal obligation (Article 6(1)(c) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Use of Online Platforms for Sales and Distribution Purposes
We offer our services on online platforms operated by other service providers. In this context, in addition to our Privacy Policy, the privacy notices of the respective platforms apply. This applies in particular with regard to payment processing and the procedures used on the platforms for reach measurement and interest-based marketing.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation).
- Data subjects: Service recipients and clients; business and contractual partners; prospective customers and enquirers; tenants; communication partners.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; marketing; business processes and economic operations; conversion tracking (measuring the effectiveness of marketing activities); provision of our online offering and user-friendliness; affiliate tracking; communication; office and organisational procedures; administrative and organisational management.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Airbnb: Letting and booking of accommodation, experiences and activities; reservation management; communication between hosts and guests; payment processing; Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.airbnb.de. Privacy policy: https://www.airbnb.de/help/article/2855/datenschutzerklärung.
- Booking.com Partner Programme: Affiliate marketing partner programme; Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.booking.com. Privacy policy: https://www.booking.com/content/privacy.de.html.
- Smoobu: Booking management, calendar synchronisation across channels, invoicing, guest communication, provision of a booking portal and analysis of rental data; Service provider: Smoobu GmbH, Wönnichstr. 68/70, 10317 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/; Privacy policy: https://www.smoobu.com/de/datenschutz/. Data processing agreement: Provided by the service provider.
- Smoobu: Booking platform and CRM system for communication with guests. It enables accommodation providers to manage availability and prices, receive bookings and communicate with guests. It also supports automatic synchronisation with various online booking portals and allows effective communication via channels such as email or messaging services. The tool facilitates the overall booking process and improves the efficiency of accommodation management; Service provider: Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany; Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/. Privacy policy: https://www.smoobu.com/de/datenschutz/.
Service Providers and Services Used in the Course of Our Business Activities
In the course of our business activities, and in compliance with the applicable legal requirements, we use additional services, platforms, interfaces or plug-ins provided by third parties (collectively “services”). Their use is based on our interests in the proper, lawful and economically efficient operation of our business and internal organisation.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); contract data (e.g. subject matter, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; prospective customers and enquirers; business and contractual partners; communication partners; tenants.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; business processes and economic operations; communication; administrative and organisational management; provision of our online offering and user-friendliness; conversion tracking (measuring the effectiveness of marketing activities); marketing; affiliate tracking.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- n8n: Workflow automation, connecting applications and services, routing and processing data between systems, scheduling time-based processes, transforming and formatting data (e.g. converting file formats), monitoring and event-based notifications; Service provider: N8n GmbH, Novalisstr. 10, 10115 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://n8n.io/; Privacy policy: https://n8n.io/legal/privacy; Data processing agreement: https://n8n.io/legal. Safeguards for international transfers: EU/EEA – Standard Contractual Clauses; Switzerland – Standard Contractual Clauses (see: https://n8n.io/legal).
- sevDesk: Online software for invoicing, accounting, banking and tax filing with document storage; Service provider: sevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://sevdesk.de/; Privacy policy: https://sevdesk.de/datenschutz/. Data processing agreement: https://sevdesk.de/datenschutz/.
- Smoobu: Booking management, calendar synchronisation across channels, invoicing, guest communication, provision of a booking portal and analysis of rental data; Service provider: Smoobu GmbH, Wönnichstr. 68/70, 10317 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/; Privacy policy: https://www.smoobu.com/de/datenschutz/. Data processing agreement: Provided by the service provider.
- Smoobu: Booking platform and CRM system for communication with guests. It enables accommodation providers to manage availability and prices, receive bookings and communicate with guests. It also supports automatic synchronisation with various online booking portals and allows effective communication via channels such as email or messaging services. The tool facilitates the overall booking process and improves the efficiency of accommodation management; Service provider: Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany; Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/. Privacy policy: https://www.smoobu.com/de/datenschutz/.
- Airbnb: Letting and booking of accommodation, experiences and activities; reservation management; communication between hosts and guests; payment processing; Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.airbnb.de. Privacy policy: https://www.airbnb.de/help/article/2855/datenschutzerklärung.
- Booking.com Partner Programme: Affiliate marketing partner programme; Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.booking.com. Privacy policy: https://www.booking.com/content/privacy.de.html.
Payment Processing
In the context of contractual and other legal relationships, due to statutory obligations or otherwise on the basis of our legitimate interests, we offer data subjects efficient and secure payment options and, for this purpose, use banks and credit institutions as well as other service providers (collectively “payment service providers”). Payment transactions are carried out exclusively via encrypted connections in accordance with the state of the art, so that data entered is protected against unauthorised access during transmission.
Data processed by payment service providers includes identity data such as name and address, banking details such as account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, amount and recipient-related information. This information is required to carry out transactions. However, the data entered is processed and stored only by the payment service providers. This means we do not receive account- or credit-card-related information, but only information confirming or rejecting a payment. In some cases, payment service providers may transfer data to credit reference agencies for the purpose of identity and creditworthiness checks. Please refer to the terms and privacy notices of the respective payment service providers.
The terms and privacy notices of the respective payment service providers apply to payment transactions and can be accessed within their websites and/or transaction applications. We also refer to them for further information and for exercising rights such as withdrawal, access and other data subject rights.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Service recipients and clients; business and contractual partners; prospective customers and enquirers.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; business processes and economic operations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- PayPal: Payment services (technical integration of online payment methods) (e.g. PayPal, PayPal Plus, Braintree); Service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; Legal basis: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); Website: https://www.paypal.com/de. Privacy policy: https://www.paypal.com/de/legalhub/paypal/privacy-full.
Provision of the Online Offering and Web Hosting
We process users’ data in order to make our online services available to them. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); log data (e.g. log files relating to logins, retrieval of data or access times); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers); contract data (e.g. subject matter, term, customer category).
- Data subjects: Users (e.g. website visitors, users of online services); service recipients and clients; prospective customers and enquirers; business and contractual partners.
- Purposes of processing and legitimate interests: Provision of our online offering and user-friendliness; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures; provision of contractual services and fulfilment of contractual obligations; conversion tracking (measuring the effectiveness of marketing activities); marketing.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Provision of the online offering on rented server space: To provide our online offering, we use storage space, computing capacity and software that we rent or otherwise obtain from a server provider (also referred to as a “web host”); Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Collection of access data and log files: Access to our online offering is logged in the form of so-called “server log files”. Server log files may include the address and name of the retrieved web pages and files, date and time of retrieval, the amount of data transferred, a message indicating successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), and generally IP addresses and the requesting provider. Server log files may be used for security purposes, for example to prevent server overload (in particular in the event of abusive attacks such as DDoS attacks), and to ensure server utilisation and stability; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR). Erasure of data: Log file information is stored for a maximum of 30 days and is then erased or anonymised. Data that must be retained for evidential purposes is exempt from erasure until the relevant incident has been finally resolved.
- Email sending and hosting: Our web hosting services also include the sending, receiving and storage of emails. For these purposes, recipient and sender addresses, further information relating to the email transmission (e.g. the providers involved), and the content of the respective emails are processed. The above data may also be processed for the purpose of detecting spam. Please note that emails are generally not end-to-end encrypted on the internet. Emails are usually encrypted during transmission, but (unless end-to-end encryption is used) they are not encrypted on the servers from which they are sent and received. We therefore cannot assume responsibility for the transmission path of emails between the sender and the point of receipt on our server; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- 1&1 IONOS: Services in the field of IT infrastructure provision and related services (e.g. storage space and/or computing capacity); Service provider: 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.ionos.de; Privacy policy: https://www.ionos.de/terms-gtc/terms-privacy. Data processing agreement: https://www.ionos.de/hilfe/datenschutz/allgemeine-informationen-zur-datenschutz-grundverordnung-dsgvo/vereinbarung-zur-auftragsverarbeitung-avv-mit-ionos-abschliessen/.
- WooCommerce: E-commerce software for operating online shops, processing payments and supporting customer management processes; Service provider: Operated on servers and/or computers under our own data protection responsibility; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://woocommerce.com/. Privacy policy: https://automattic.com/privacy/.
- gstatic.com: Content Delivery Network (CDN) – a service that enables content of an online offering, in particular large media files such as graphics or programme scripts, to be delivered faster and more securely via regionally distributed servers connected through the internet; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.google.de/. Privacy policy: https://policies.google.com/privacy.
- W3 Total Cache: Caching and load optimisation – functions that store certain website content so that it can be loaded more quickly upon repeat visits. This reduces load times and improves user experience; Service provider: Operated on servers and/or computers under our own data protection responsibility; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR). Website: https://www.boldgrid.com/w3-total-cache/.
Use of Cookies
“Cookies” refers to functions that store information on users’ devices and read information from them. Cookies may also be used for various purposes, such as ensuring functionality, security and convenience of online offerings, as well as analysing visitor traffic. We use cookies in accordance with the applicable legal requirements. Where necessary, we obtain users’ prior consent. Where consent is not required, we rely on our legitimate interests. This applies where storing and reading information is essential in order to provide content and functions expressly requested by the user. This includes, for example, storing settings and ensuring the functionality and security of our online offering. Consent can be withdrawn at any time. We provide clear information on the scope of consent and which cookies are used.
Information on legal bases under data protection law: Whether we process personal data by means of cookies depends on whether we have consent. Where consent has been given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as explained above in this section and in the context of the relevant services and procedures.
Storage duration: With regard to storage duration, the following types of cookies are distinguished:
- Temporary cookies (also called session cookies): Temporary cookies are erased at the latest after a user leaves an online offering and closes their device (e.g. browser or mobile application).
- Persistent cookies: Persistent cookies remain stored even after the device is closed. For example, the login status may be stored and preferred content displayed directly when the user visits a website again. Usage data collected by cookies may also be used for reach measurement and analytics. Unless we provide users with explicit information about the type and storage duration of cookies (e.g. when obtaining consent), users should assume that cookies are persistent and that the storage duration may be up to two years.
General information on withdrawal and objection (opt-out): Users can withdraw any consent they have given at any time and can also object to processing in accordance with the applicable legal requirements, including via the privacy settings of their browser.
- Types of data processed: Meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g. website visitors, users of online services).
- Legal bases: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); consent (Article 6(1)(a) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Processing of cookie data on the basis of consent: We use a consent management solution to obtain, record, manage and allow withdrawal of users’ consent to the use of cookies or the procedures and providers named within the consent management solution. This process serves the collection, logging, management and withdrawal of consent, in particular with regard to cookies and comparable technologies used to store, read and process information on users’ devices. Within this process, users’ consent is obtained for the use of cookies and for the related processing of information, including the specific processing activities and providers listed in the consent management process. Users can also manage and withdraw their consent. Consent declarations are stored to avoid repeated requests and to be able to demonstrate consent in accordance with legal requirements. Storage takes place server-side and/or in a cookie (so-called “opt-in cookie”) or via comparable technologies in order to associate the consent with a specific user or their device. Unless specific information about consent management providers is available, the following general information applies: consent is stored for up to two years. A pseudonymous user identifier is created and stored together with the time of consent, information on the scope of consent (e.g. relevant cookie categories and/or service providers), and information about the browser, system and device used; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR).
- consentmanager: Storage and management of consents (consent to cookies and data processing), logging of users’ decisions, display of information on data protection and cookies, enabling users to withdraw or adjust consent; Service provider: Jaohawi AB, Håltegelvägen 1b, 72348 Västerås, Sweden; Website: https://www.consentmanager.de/; Privacy policy: https://www.consentmanager.net/; Data processing agreement: https://www.consentmanager.net/tac.php. Further information: The following data is stored on the service provider’s servers within the EU: identification number (for the user, their browser, operating system and device), IP address, date and time, country, language, type, scope and purpose of consent, browser cookie settings, website on which consent was given, and technical information about the browser and operating system.
Blogs and Online Publications
We use blogs or comparable means of online communication and publication (hereinafter “publication medium”). Readers’ data is processed for the purposes of the publication medium only insofar as this is necessary for its presentation and for communication between authors and readers or for security reasons. Otherwise, we refer to the information in this Privacy Policy on the processing of data of visitors to our publication medium.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Feedback (e.g. collecting feedback via online forms); provision of our online offering and user-friendliness; security measures; provision of contractual services and fulfilment of contractual obligations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Akismet anti-spam check: We use the “Akismet” service on the basis of our legitimate interests. Akismet distinguishes comments by real people from spam comments. For this purpose, all comment information is sent to a server in the United States, where it is analysed and stored for comparison purposes for four days. If a comment is classified as spam, the data is stored beyond this period. This information includes the name entered, email address, IP address, comment content, referrer, information about the browser and computer system used, and the time of entry.
Users are welcome to use pseudonyms or to refrain from entering their name or email address. Users can prevent the transfer of data completely by not using our comment system. That would be a shame, but we currently see no alternatives that work as effectively; Service provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://automattic.com; Privacy policy: https://automattic.com/privacy/; Data processing agreement: Provided by the service provider. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses (provided by the service provider); Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses (provided by the service provider).
- ManageWP: Management of WordPress websites; Service provider: ManageWP, LLC, 14455 N. Hayden Rd, Ste. 219, Scottsdale, AZ 85260, USA; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://managewp.com/; Privacy policy: https://managewp.com/privacy-policy/; Data processing agreement: https://www.godaddy.com/legal/agreements/data-processing-addendum. Safeguards for international transfers: EU/EEA – Standard Contractual Clauses; Switzerland – Standard Contractual Clauses (see: https://www.godaddy.com/legal/agreements/data-processing-addendum).
Contact and Enquiry Management
When contacting us (e.g. by post, contact form, email, telephone or via social media), and within existing user and business relationships, the information provided by the enquiring persons is processed insofar as this is necessary to respond to contact enquiries and any requested measures.
- Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons); identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contract data (e.g. subject matter, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions).
- Data subjects: Communication partners; prospective customers and enquirers; business and contractual partners; tenants; service recipients and clients.
- Purposes of processing and legitimate interests: Communication; administrative and organisational management; feedback (e.g. collecting feedback via online forms); provision of our online offering and user-friendliness; provision of contractual services and fulfilment of contractual obligations; office and organisational procedures.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Contact form: When you contact us via our contact form, by email or via other communication channels, we process the personal data you provide in order to respond to and handle your request. This usually includes information such as name, contact details and, where applicable, further information communicated by you that is required for appropriate handling. We use this data solely for the purpose of contacting you and communicating with you; Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Contact Form 7: Management of contact enquiries and communications; Service provider: Rock Lobster, LLC; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://contactform7.com/. Further information: Operated within our own hosting environment.
- Smoobu: Booking management, calendar synchronisation across channels, invoicing, guest communication, provision of a booking portal and analysis of rental data; Service provider: Smoobu GmbH, Wönnichstr. 68/70, 10317 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/; Privacy policy: https://www.smoobu.com/de/datenschutz/. Data processing agreement: Provided by the service provider.
- Smoobu: Booking platform and CRM system for communication with guests. It enables accommodation providers to manage their rooms online, receive bookings and communicate with guests. The platform provides functions such as managing availability, prices and reservations and automatic synchronisation with various online booking portals. In addition, the CRM system enables effective communication with guests via channels such as email or messaging services. The tool facilitates the overall booking process and improves the efficiency of accommodation management; Service provider: Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany; Legal bases: Performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/. Privacy policy: https://www.smoobu.com/de/datenschutz/.
Communication via Messaging Services
We use messaging services for communication and therefore ask you to take note of the following information regarding how the messaging services function, encryption, the use of communication metadata and your options to object.
You can also contact us via alternative channels, for example by telephone or email. Please use the contact options provided to you or those stated within our online offering.
Where end-to-end encryption is used, the communication content (i.e. the message content and attached images) is encrypted end-to-end. This means that the content of messages cannot be viewed, not even by the messaging service providers themselves. You should always use an up-to-date version of the messaging service with encryption enabled to ensure that message content is encrypted.
However, we also note that while messaging service providers may not be able to view the content, they may learn that, and when, communication partners communicate with us. In addition, technical information about the device used by the communication partners and, depending on the device settings, location information may be processed (so-called metadata).
Information on legal bases: Where we request permission from communication partners before communicating with them via a messaging service, the legal basis for processing their data is their consent. Otherwise, where we do not request consent and you contact us on your own initiative, we use messaging services in relation to our contractual partners and during contract initiation as a contractual measure, and in the case of other prospective customers and communication partners on the basis of our legitimate interests in fast and efficient communication and in meeting the needs of our communication partners to communicate via messaging services. We also note that we do not transmit contact data provided to us to messaging service providers for the first time without your consent.
Withdrawal, objection and erasure: You can withdraw any consent you have given at any time and object to communication with us via messaging services at any time. In the case of communication via messaging services, we erase messages in accordance with our general erasure policies (e.g. after the end of contractual relationships, in the context of archiving requirements, etc.) and otherwise as soon as we can assume that any enquiry has been answered, provided that no reference to a previous conversation is expected and no statutory retention obligations prevent erasure.
Reservation regarding referral to other communication channels: To ensure your security, please understand that in certain cases we may not be able to respond to enquiries via messaging services. This applies, for example, where contractual details must be treated as particularly confidential or where a response via messaging services does not meet formal requirements. In such cases, we recommend using more suitable communication channels.
- Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, involved persons).
- Data subjects: Communication partners.
- Purposes of processing and legitimate interests: Communication; direct marketing (e.g. by email or post).
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR); performance of a contract and pre-contractual measures (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- WhatsApp: A communication service that enables the sending and receiving of text messages, voice messages, images, videos, documents, and voice and video calls via the internet. Communication is protected by end-to-end encryption, meaning content is accessible only to the communication partners involved. To provide the service, the platform processes metadata (e.g. phone numbers, timestamps, device information) and may use such data to improve functionality, security and service optimisation; Service provider: WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.whatsapp.com/; Privacy policy: https://www.whatsapp.com/legal/privacy-policy-eea. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF).
Artificial Intelligence (AI)
We use Artificial Intelligence (AI), in the course of which personal data may be processed. The specific purposes and our interest in the use of AI are set out below. For the purposes of this Privacy Policy, “AI” shall be understood in accordance with the definition of an “AI system” under Article 3(1) of the EU AI Act, namely a machine-based system designed to operate with varying levels of autonomy, which may exhibit adaptiveness after deployment and which, for explicit or implicit objectives, generates outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments.
Our AI systems are used in strict compliance with applicable legal requirements. These include both specific regulations governing artificial intelligence and applicable data protection laws. In particular, we adhere to the principles of lawfulness, transparency, fairness, human oversight, purpose limitation, data minimisation, integrity and confidentiality. We ensure that any processing of personal data is based on a valid legal basis, which may include the consent of the data subject or a statutory authorisation.
Where we use external AI systems, we carefully select their providers (hereinafter “AI providers”). In accordance with our legal obligations, we ensure that AI providers comply with applicable laws. We also observe our own obligations when using or operating AI services obtained from third parties. Any processing of personal data by us and by AI providers is carried out solely on the basis of consent or a statutory legal basis. We place particular emphasis on transparency, fairness and maintaining human oversight over AI-supported decision-making processes.
To protect the data processed, we implement appropriate and robust technical and organisational measures. These measures ensure the integrity and confidentiality of the processed data and minimise potential risks. Through regular reviews of AI providers and their services, we ensure ongoing compliance with current legal and ethical standards.
- Types of data processed: Content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions).
- Data subjects: Users (e.g. website visitors, users of online services); third parties.
- Purposes of processing and legitimate interests: Use of Artificial Intelligence (AI).
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Adobe AI: AI-supported tools and functions within Adobe products that support creative processes. Adobe AI provides features such as automated image editing, content generation and intelligent image enhancements to optimise creative workflows; Service provider: Adobe Systems Software Ireland Limited, 4-6 Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://business.adobe.com/de/ai/adobe-genai.html; Privacy policy: https://www.adobe.com/de/privacy.html; Data processing agreement: Provided by the service provider. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses (provided by the service provider); Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses (provided by the service provider).
- ChatGPT: AI-based service designed to understand and generate natural language and related inputs, analyse information and make predictions (“AI” being understood in the applicable legal sense); Service provider: OpenAI Ireland Ltd, 117–126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://openai.com/de-DE/chatgpt/overview/; Privacy policy: https://openai.com/de-DE/policies/privacy-policy/. Right to object (opt-out): https://privacy.openai.com/policies?modal=select-subject.
- DeepL: Translation of texts into various languages and provision of synonyms and contextual examples; support in correcting and improving texts in different languages; Service provider: DeepL SE, Maarweg 165, 50825 Cologne, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.deepl.com; Privacy policy: https://www.deepl.com/de/privacy. Data processing agreement: Provided by the service provider.
- Google Gemini: AI-supported system designed to provide advanced language and image processing capabilities. It uses machine learning to understand and generate natural language and analyse images, offering versatile applications across various areas; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://business.safety.google/processorterms/?hl=de. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
- Midjourney: Creation of AI-generated images based on text prompts; refinement of generated images through iterative prompts; storage and management of created content; provision of an online platform for interaction with other users and sharing results; Service provider: Midjourney, Inc., 795 Folsom Street, 1st Floor, San Francisco, CA 94107, USA; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.midjourney.com/; Privacy policy: https://docs.midjourney.com/docs/privacy-policy.
Video Conferences, Online Meetings, Webinars and Screen Sharing
We use platforms and applications provided by third parties (hereinafter “conference platforms”) for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (collectively “conferences”). When selecting conference platforms and their services, we comply with applicable legal requirements.
Data processed by conference platforms: In the context of participation in a conference, conference platforms process the personal data of participants listed below. The scope of processing depends, on the one hand, on the data required for a specific conference (e.g. access credentials or real names) and, on the other hand, on the optional information provided by participants. In addition to processing for the purpose of conducting the conference, participants’ data may also be processed by conference platforms for security purposes or service optimisation. Processed data includes personal details (first name, last name), contact information (email address, telephone number), access data (access codes or passwords), profile pictures, information about professional role or function, IP address, information about participants’ devices, their operating system, browser and technical and language settings, information on communication content (e.g. chat entries, audio and video data) and use of other available functions (e.g. polls). Communication content is encrypted to the extent technically provided by the conference provider. If participants are registered users of the conference platform, further data may be processed in accordance with the agreement with the respective provider.
Logging and recordings: If text entries, participation results (e.g. from polls) or video or audio recordings are logged, participants will be informed transparently in advance and, where required, their consent will be obtained.
Data protection measures by participants: Please refer to the privacy notices of the respective conference platforms for details on the processing of your data and select the optimal security and privacy settings within the conference platform. During video conferences, please also ensure data protection and protection of your personal rights in the background of your recording (e.g. by informing cohabitants, locking doors and using background blurring where technically possible). Links to conference rooms and access data must not be disclosed to unauthorised third parties.
Information on legal bases: Where, in addition to the conference platforms, we also process users’ data and request their consent to use the conference platforms or certain functions (e.g. consent to recording conferences), the legal basis for processing is that consent. Furthermore, our processing may be necessary to fulfil contractual obligations (e.g. in participant lists or when documenting discussion results). Otherwise, users’ data is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person); audio recordings; log data (e.g. log files relating to logins or retrieval of data or access times).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services); persons depicted.
- Purposes of processing and legitimate interests: Provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Google Hangouts / Meet: Conference and communication software; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://hangouts.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
- Microsoft Teams: Used for conducting online events and conferences and for communication with internal and external participants. Functions used include voice transmission, direct messaging, group communication and collaboration features. Data processed includes name, business contact details, work profile, participation and content (audio/video, voice, chat, files, speech transcription) for purposes and on the basis of interests in efficiency and productivity gains, cost efficiency, flexibility, mobility, improved communication, IT security, use of a central platform and business processing by Microsoft. Audio signals are generally not stored unless recording is activated. Meeting and conference recordings are stored for 90 days by default unless a different period is defined. Chat and file content are stored in accordance with policies set by the administrator or user; by default, no automatic deletion is configured. Channels must be renewed every 180 days, otherwise content is deleted. In addition, system-generated log, diagnostic and metadata are processed, as well as diagnostic data for product stability, security and improvement; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.microsoft.com/de-de/microsoft-teams/; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement; Security information: https://www.microsoft.com/de-de/trustcenter. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
- Zoom: Video conferences, online meetings, webinars, screen sharing, optional recording of sessions, chat function, integration with calendars and other applications; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://zoom.us; Privacy policy: https://explore.zoom.us/de/privacy/; Data processing agreement: https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
Cloud Services
We use software services accessible via the internet and operated on the servers of their providers (so-called “cloud services”, also referred to as “Software as a Service”) for the storage and management of content (e.g. document storage and management, exchange of documents, content and information with specific recipients or publication of content and information).
In this context, personal data may be processed and stored on the providers’ servers to the extent that such data forms part of communication processes with us or is otherwise processed by us as described in this Privacy Policy. Such data may include, in particular, identity data and contact data of users, data relating to transactions, contracts and other processes and their content. Cloud service providers also process usage data and metadata, which they use for security purposes and service optimisation.
If we use cloud services to provide forms or other documents and content to other users or publicly accessible websites, the providers may store cookies on users’ devices for web analytics purposes or to remember user settings (e.g. in the case of media controls).
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); image and/or video recordings (e.g. photographs or video recordings of a person).
- Data subjects: Prospective customers and enquirers; communication partners; business and contractual partners; users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Office and organisational procedures; IT infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); provision of contractual services and fulfilment of contractual obligations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Adobe Creative Cloud: Cloud storage, cloud infrastructure services and cloud-based application software, including for photo editing, video editing, graphic design and web development; Service provider: Adobe Systems Software Ireland Limited, 4-6 Riverwalk Drive, Citywest Business Campus, Brownsbarn, Dublin 24, D24 DCW0, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.adobe.com/de/creativecloud.html; Privacy policy: https://www.adobe.com/de/privacy.html; Data processing agreement: Provided by the service provider. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses.
- Google Cloud Services: Cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses. Further information: https://cloud.google.com/privacy.
- Google Cloud Storage: Cloud storage, cloud infrastructure services and cloud-based application software; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://cloud.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses. Further information: https://cloud.google.com/privacy.
- Google Workspace: Cloud-based application software (e.g. word processing and spreadsheets, calendar and contact management), cloud storage and cloud infrastructure services; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://workspace.google.com/; Privacy policy: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum. Safeguards for international transfers: EU/EEA – Data Privacy Framework (DPF) and Standard Contractual Clauses; Switzerland – Data Privacy Framework (DPF) and Standard Contractual Clauses. Further information: https://cloud.google.com/privacy.
- Apple iCloud: Cloud storage service; Service provider: Apple Inc., One Apple Park Way, Cupertino, CA 95014, USA; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.apple.com/de/; Privacy policy: https://www.apple.com/legal/privacy/de-ww/.
Newsletters and Electronic Notifications
We send newsletters, emails and other electronic notifications (hereinafter “Newsletters”) only with the consent of the recipients or on the basis of a statutory legal provision. Where the content of the Newsletter is described during the subscription process, such content is decisive for the user’s consent. As a rule, providing your email address is sufficient to subscribe to our Newsletter. However, in order to provide a personalised service, we may request your name for personal salutation purposes or further information where this is necessary for the purpose of the Newsletter.
Erasure and restriction of processing: We may store unsubscribed email addresses for up to three years on the basis of our legitimate interests before deleting them, in order to be able to demonstrate previously given consent. The processing of such data is limited to the purpose of a potential defence against legal claims. An individual request for erasure is possible at any time, provided that the former existence of consent is simultaneously confirmed. In cases where we are obliged to permanently observe objections, we reserve the right to store the email address solely for this purpose in a suppression list (“blocklist”).
The logging of the subscription process is carried out on the basis of our legitimate interests for the purpose of evidencing its proper execution. Where we engage a service provider to send emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Content:
Information about us, our services, promotions and offers.
- Types of data processed: Identity data (e.g. full name, residential address, contact information, customer number, etc.); contact data (e.g. postal and email addresses or telephone numbers); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); payment data (e.g. bank details, invoices, payment history); contractual data (e.g. subject matter of the contract, term, customer category); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation).
- Data subjects: Communication partners; prospective customers and enquirers; business and contractual partners; tenants; service recipients and clients.
- Purposes of processing and legitimate interests: Direct marketing (e.g. by email or post); reach measurement (e.g. access statistics, recognition of returning visitors); provision of contractual services and fulfilment of contractual obligations; communication; office and organisational procedures; administrative procedures; provision of our online services and user-friendliness.
- Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); performance of a contract and pre-contractual enquiries (Article 6(1)(b) UK GDPR / EU GDPR).
- Right to object (opt-out): You may unsubscribe from our Newsletter at any time, i.e. withdraw your consent or object to further receipt. A link to unsubscribe can be found at the end of each Newsletter or you may use one of the contact options provided above, preferably by email.
Further information on processing activities, procedures and services:
- Measurement of open and click rates: Newsletters contain so-called “web beacons”, i.e. pixel-sized files that are retrieved from our server or, if we use a dispatch service provider, from its server when the Newsletter is opened. As part of this retrieval, technical information (e.g. information about your browser and system), your IP address and the time of retrieval are initially collected. This information is used for the technical improvement of our Newsletter based on technical data or target groups and their reading behaviour, determined by retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether and when Newsletters are opened and which links are clicked. The information collected is assigned to individual Newsletter recipients and stored in their profiles until deletion. On this basis, user profiles are created in which usage behaviour and characteristics are stored. The measurement of open and click rates and the storage and further processing of the results in user profiles are carried out on the basis of user consent. A separate withdrawal of consent for performance measurement is not possible; in this case, the entire Newsletter subscription must be cancelled. Stored profile information will then be deleted; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR).
- Order process reminder emails: If users do not complete an order process, we may remind them by email and provide a link to continue the process. This function may be useful, for example, if the purchase process was not completed due to a browser crash, oversight or forgetfulness. Dispatch is based on consent, which users may withdraw at any time; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR).
- Brevo: Email dispatch and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/legal/privacypolicy/; Data processing agreement: Provided by the service provider.
- Smoobu: Management of bookings, calendar synchronisation across various channels, invoicing, communication with guests, provision of a booking portal and analysis of rental data; Service provider: Smoobu GmbH, Wönnichstr. 68/70, 10317 Berlin, Germany; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/; Privacy policy: https://www.smoobu.com/de/datenschutz/; Data processing agreement: Provided by the service provider.
- Smoobu: Booking platform for accommodation and CRM system for guest communication. It enables operators to manage rooms online, receive bookings and communicate with guests. The platform offers functions such as managing availability, prices and reservations as well as automatic synchronisation with various online booking portals. In addition, the CRM system enables effective communication with guests via email or messaging services. The tool facilitates the entire booking process and improves operational efficiency; Service provider: Smoobu GmbH, Pappelallee 78/79, 10437 Berlin, Germany; Legal bases: Performance of a contract and pre-contractual enquiries (Article 6(1)(b) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.smoobu.com/de/; Privacy policy: https://www.smoobu.com/de/datenschutz/.
Web Analytics, Monitoring and Optimisation
Web analytics (also referred to as “reach measurement”) is used to evaluate visitor flows to our online services and may include behaviour, interests or demographic information about visitors, such as age or gender, as pseudonymous values. By means of reach analysis, we can, for example, identify the times at which our online services or their functions or content are most frequently used or invite reuse. We can also identify areas requiring optimisation.
In addition to web analytics, we may use testing procedures, for example to test and optimise different versions of our online services or their components.
Unless otherwise stated below, profiles, i.e. data summarised for a usage process, may be created for these purposes and information may be stored in and subsequently read from a browser or end device. The data collected includes, in particular, visited websites and elements used there as well as technical information such as the browser used, the computer system used and information about usage times. Where users have consented to the collection of their location data by us or by the providers of the services we use, location data may also be processed.
Users’ IP addresses are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. As a rule, no clear personal data (such as email addresses or names) is stored in the context of web analytics, A/B testing and optimisation, but rather pseudonyms. This means that neither we nor the providers of the software used know the actual identity of users, but only the information stored in their profiles for the purposes of the respective procedures.
Information on legal bases: Where we request users’ consent to use third-party providers, the legal basis for processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and user-friendly services). In this context, please also refer to the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved).
- Data subjects: Service recipients and clients; users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest/behaviour-based profiling, use of cookies); audience building; A/B testing; marketing; profiles with user-related information (creation of user profiles); remarketing; provision of our online services and user-friendliness.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).
- Security measures: IP masking (pseudonymisation of the IP address).
- Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Online Marketing
We process personal data for the purposes of online marketing. This may include, in particular, the marketing of advertising space or the display of promotional and other content (collectively “Content”) based on users’ potential interests, as well as measuring the effectiveness of such Content.
For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”) or similar methods are used by which the information relevant for displaying the above Content is stored for the user. This may include, for example, content viewed, websites visited, online networks used, as well as communication partners and technical information such as the browser used, the computer system used and information about usage times and functions used. Where users have consented to the collection of their location data, this may also be processed.
In addition, users’ IP addresses are stored. However, we use available IP masking methods (i.e. pseudonymisation by truncating the IP address) to protect users. In general, no clear personal data (such as email addresses or names) is stored as part of online marketing procedures, but rather pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual identity of the users, but only the information stored in their profiles.
The statements within the profiles are generally stored in cookies or by means of similar methods. These cookies can typically also be read on other websites that use the same online marketing procedure and analysed for the purpose of displaying Content, supplemented with further data and stored on the server of the online marketing procedure provider.
By way of exception, it may be possible to assign clear personal data to profiles, primarily where users are, for example, members of a social network whose online marketing procedures we use and the network links user profiles with the information described above. Please note that users may enter into additional agreements with providers, for example by giving consent during registration.
As a rule, we only receive access to aggregated information about the success of our advertisements. However, as part of so-called conversion measurement, we can check which of our online marketing procedures has led to a so-called conversion, i.e. for example, the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.
Unless otherwise stated, please assume that cookies used are stored for a period of two years.
Information on legal bases: Where we ask users for their consent to the use of third-party providers, the legal basis for processing is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, please also refer to the information on the use of cookies in this Privacy Policy.
Information on withdrawal of consent and objection:
We refer to the privacy information of the respective providers and the objection options (“opt-out”) indicated for those providers. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, this may restrict the functionality of our online services. We therefore also recommend the following opt-out options, which are offered in a consolidated manner for the respective regions:
a) Europe: https://www.youronlinechoices.eu.
b) Canada: https://youradchoices.ca/.
c) USA: https://optout.aboutads.info/.
d) Cross-regional: https://optout.aboutads.info.
- Types of data processed: Content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); event data (Facebook) (“Event Data” is information sent to Meta, for example via the Meta Pixel (whether via apps or other channels), and relates to individuals or their actions. This includes, for example, details of website visits, interactions with content and functions, app installations and product purchases. Event Data is processed with the aim of creating audiences for content and advertising messages (“Custom Audiences”). It is important to note that Event Data does not include actual content such as written comments, login information or contact information such as names, email addresses or telephone numbers. Event Data is deleted by Meta after a maximum of two years, and the audiences derived from it disappear when our Meta user accounts are deleted.); contact information (Facebook) (“Contact Information” is data that clearly identifies individuals, such as names, email addresses and telephone numbers, which may be transferred to Facebook, for example via the Facebook Pixel or upload for matching purposes in order to create Custom Audiences. After matching for the purpose of audience creation, the Contact Information is deleted).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behaviour-based profiling, use of cookies); conversion measurement (measuring the effectiveness of marketing measures); audience building; marketing; profiles with user-related information (creation of user profiles); provision of our online services and user-friendliness; remarketing.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).
- Security measures: IP masking (pseudonymisation of the IP address).
- Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Meta Pixel and audience building (Custom Audiences): Using the Meta Pixel (or comparable functions for transmitting Event Data or Contact Information via interfaces in apps), Meta is able to identify visitors to our online services as a target group for the display of ads (“Meta Ads”). Accordingly, we use the Meta Pixel to ensure that the Meta Ads placed by us are shown only to those users on Meta platforms and within the services of partners cooperating with Meta (the so-called “Audience Network” https://www.facebook.com/audiencenetwork/) who have shown an interest in our online services or who have certain characteristics (e.g. interest in specific topics or products that can be inferred from the websites visited) that we transmit to Meta (“Custom Audiences”). We also use the Meta Pixel to help ensure that our Meta Ads match users’ potential interests and are not intrusive. The Meta Pixel also enables us to evaluate the effectiveness of Meta Ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Meta Ad (“conversion measurement”); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1)(a) EU GDPR / UK GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: Users’ Event Data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership arrangement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company established in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes transfers to the parent company Meta Platforms, Inc. in the USA (on the basis of Standard Contractual Clauses agreed between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Advanced matching for the Meta Pixel: In addition to processing Event Data when using the Meta Pixel (or comparable functions, e.g. in apps), Contact Information (data that identifies individuals, such as names, email addresses and telephone numbers) may also be collected by Meta within our online services or transferred to Meta. Processing of Contact Information serves to build audiences (“Custom Audiences”) for the display of content and advertising information aligned with users’ presumed interests. Collection, transfer and matching with data held by Meta does not take place in plain text, but as so-called hash values, i.e. mathematical representations of the data (a method also used, for example, when storing passwords). After matching for the purpose of audience creation, the Contact Information is deleted; Legal basis: Consent (Article 6(1)(a) EU GDPR / UK GDPR); Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Further information: https://www.facebook.com/legal/terms/data_security_terms.
- Meta – audience building via data upload: Creation of audiences for marketing purposes – we transfer Contact Information (names, email addresses and telephone numbers) in list form to Meta for the purpose of creating audiences (“Custom Audiences”) for the display of content and advertising information aligned with users’ presumed interests. The transfer and matching with data held by Meta does not take place in plain text, but as so-called hash values, i.e. mathematical representations of the data (a method also used, for example, when storing passwords). After matching for the purpose of audience creation, the Contact Information is deleted; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1)(a) EU GDPR / UK GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Data processing agreement: https://www.facebook.com/legal/terms/dataprocessing; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum); Switzerland – Data Privacy Framework (DPF), Standard Contractual Clauses (https://www.facebook.com/legal/EU_data_transfer_addendum).
- Facebook ads: Placing advertisements within the Facebook platform and evaluating ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1)(a) EU GDPR / UK GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/privacy/policy/; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Opt-out: We refer to privacy and advertising settings in users’ profiles on Facebook platforms and to Facebook’s consent procedures and contact options for exercising access and other data subject rights, as described in Facebook’s privacy policy; Further information: Users’ Event Data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership arrangement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). The joint controllership is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company established in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which in particular includes transfers to the parent company Meta Platforms, Inc. in the USA (on the basis of Standard Contractual Clauses agreed between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- Google Ad Manager: We use “Google Ad Manager” to place ads in Google’s advertising network (e.g. in search results, in videos, on websites, etc.). Google Ad Manager is characterised by displaying ads in real time based on presumed user interests. This enables us to show ads for our online services to users who may have a potential interest in our offering or who have previously shown interest in it, and to measure the success of the ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/; Controller terms and Standard Contractual Clauses for international transfers: https://business.safety.google/adscontrollerterms. Where Google acts as a processor: processor terms and Standard Contractual Clauses: https://business.safety.google/adsprocessorterms.
- Google Ads and conversion measurement: Online marketing procedure for placing content and ads within the service provider’s advertising network (e.g. in search results, in videos, on websites, etc.) so that they are shown to users who are presumed to be interested in the ads. In addition, we measure conversions of the ads, i.e. whether users have taken the ads as an opportunity to interact with them and use the advertised offers (so-called conversions). However, we receive only anonymous information and no personal information about individual users; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR) and/or legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Controller terms and Standard Contractual Clauses for international transfers: https://business.safety.google/adscontrollerterms.
- Google Ads – Enhanced Conversions: Enhanced Conversions are used to measure and optimise advertising performance. This is an extension of existing conversion tracking (measuring user actions such as purchases or enquiries) in which certain first-party data provided by users (data collected directly by the website operator, e.g. email address or telephone number) is technically processed to attribute conversions more reliably to an ad. Processing takes place exclusively in hashed form using the cryptographic one-way hash algorithm SHA-256 (a mathematical method for irreversible transformation of data). Personal data is encrypted before transmission so that it is not in plain text and cannot be reversed. The hashed data is transmitted to Google either at the time of a conversion on the website or, for so-called lead conversions (conversions occurring outside the website, e.g. by telephone or email), at a later time. Transmission takes place either client-side via a tag (tracking code, e.g. via Google Tag Manager) or server-side via an API. In server-side transmissions, data is transmitted via an HTTPS connection (encrypted internet connection). The purpose is to correctly record and attribute conversions even where conventional tracking methods such as cookies or device identifiers are restricted or unavailable. The hashed data may be matched with existing Google accounts where users are logged in at the time of conversion. Processing is used solely for conversion measurement, evaluation of campaign success and optimisation of automated bidding strategies based on first-party data; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Controller terms and Standard Contractual Clauses for international transfers: https://business.safety.google/adscontrollerterms.
- Google Ads remarketing: Google remarketing, also called retargeting, is a technology by which users who use an online service are added to a pseudonymous remarketing list so that ads can be displayed to them on other online services based on their visit to the online service; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR); Website: https://marketingplatform.google.com; Privacy policy: https://policies.google.com/privacy; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Further information: Types of processing and data processed: https://business.safety.google/adsservices/. Controller terms and Standard Contractual Clauses for international transfers: https://business.safety.google/adscontrollerterms.
- Enhanced Conversions for Google Ads: If users click on our Google ads and subsequently use the advertised service (“conversion”), user-entered data such as email address, name, residential address or telephone number may be transmitted to Google. The hash values are then matched with existing Google accounts to better evaluate and improve users’ interactions with the ads (e.g. clicks or views) and therefore their performance; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR); Website: https://support.google.com/google-ads/answer/9888656.
- Instagram ads: Placing advertisements within the Instagram platform and evaluating ad results; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Opt-out: We refer to privacy and advertising settings in users’ profiles on Instagram and to Instagram’s consent procedures and contact options for exercising access and other data subject rights as described in Instagram’s privacy policy; Further information: Users’ Event Data, i.e. behavioural and interest information, is processed for the purposes of targeted advertising and audience building on the basis of the joint controllership arrangement (“Controller Addendum”, https://www.facebook.com/legal/controller_addendum). Joint controllership is limited to the collection and transfer of data to Meta Platforms Ireland Limited, a company established in the EU. Further processing is the sole responsibility of Meta Platforms Ireland Limited, including transfers to the parent company Meta Platforms, Inc. in the USA.
- Facebook Conversions API: We use Facebook’s “Conversions API”. The Conversions API is an interface that enables Event Data to be sent directly from our servers to Facebook. The operation and processing of data under the Conversions API correspond to the operation and processing under the use of the Facebook Pixel; to that extent we refer to the information on the Facebook Pixel and audience building; Legal basis: Consent (Article 6(1)(a) UK GDPR / EU GDPR).
Customer Reviews and Rating Procedures
We participate in review and rating procedures to evaluate, optimise and promote our services. Where users rate us via the participating rating platforms or procedures or otherwise provide feedback, the general terms and conditions or terms of use and the privacy notices of the providers also apply. As a rule, submitting a review also requires registration with the respective providers.
To ensure that the persons providing the rating have actually used our services, we transmit, with the customers’ consent, the data required for this purpose relating to the customer and the service used to the respective rating platform (including name, email address and order number or item number). This data is used solely to verify the authenticity of the user.
- Types of data processed: Contractual data (e.g. subject matter of the contract, term, customer category); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); identity data (e.g. full name, residential address, contact information, customer number, etc.); payment data (e.g. bank details, invoices, payment history); contact data (e.g. postal and email addresses or telephone numbers).
- Data subjects: Service recipients and clients; users (e.g. website visitors, users of online services); prospective customers and enquirers; business and contractual partners.
- Purposes of processing and legitimate interests: Feedback (e.g. collecting feedback via online form); marketing; provision of contractual services and fulfilment of contractual obligations; conversion measurement (measuring the effectiveness of marketing measures); provision of our online services and user-friendliness; affiliate tracking.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Review widget: We integrate so-called “review widgets” into our online services. A widget is a functional and content element integrated into our online services that displays changing information. It may, for example, be presented in the form of a seal or comparable element, sometimes also referred to as a “badge”. The corresponding content of the widget is displayed within our online services, but is retrieved at that moment from the servers of the respective widget provider. Only this enables the content to always be displayed up to date, in particular the current rating. For this purpose, a data connection must be established from the webpage accessed within our online services to the widget provider’s server, and the widget provider receives certain technical data (access data, including IP address) required to deliver the widget content to the user’s browser. In addition, the widget provider receives information that users have visited our online services. This information may be stored in a cookie and used by the widget provider to recognise which online services participating in the review procedure have been visited by the user. The information may be stored in a user profile and used for advertising or market research purposes; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
- Google Customer Reviews: Service for collecting and/or displaying customer satisfaction and customer opinions; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.google.com/; Privacy policy: https://policies.google.com/privacy; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Further information: When collecting customer reviews, an identification number and the time of the transaction to be reviewed are processed; for review requests sent directly to customers, the customer’s email address, their country of residence and the review information itself are also processed. Further information on types of processing and data processed: https://business.safety.google/adsservices/. Controller terms and Standard Contractual Clauses for international transfers: https://business.safety.google/adscontrollerterms.
- Airbnb: Letting and booking accommodation, experiences and discoveries; management of reservations; communication between hosts and guests; payment processing; Service provider: Airbnb Ireland UC, 8 Hanover Quay, D02 DP23 Dublin 2, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.airbnb.de; Privacy policy: https://www.airbnb.de/help/article/2855/datenschutzerklärung.
- Booking.com partner programme: Affiliate marketing partner programme; Service provider: Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, Netherlands; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.booking.com; Privacy policy: https://www.booking.com/content/privacy.de.html.
Presences on Social Networks (Social Media)
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to provide information about us.
Please note that user data may be processed outside the European Union. This may result in risks for users, for example because the enforcement of users’ rights could be made more difficult.
Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles may be created on the basis of usage behaviour and the resulting interests of users. These user profiles may in turn be used to place advertisements within and outside the networks that are presumed to correspond to users’ interests. For this purpose, cookies are generally stored on users’ devices in which usage behaviour and interests are stored. In addition, data may be stored in user profiles independently of the devices used by users (in particular where users are members of the respective platforms and logged in).
For a detailed description of the respective forms of processing and the possibilities to object (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we also point out that these can be exercised most effectively with the providers. Only the providers have access to users’ data and can take appropriate measures and provide information directly. Should you nevertheless require assistance, you may contact us.
- Types of data processed: Contact data (e.g. postal and email addresses or telephone numbers); content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Communication; feedback (e.g. collecting feedback via online form); public relations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Further information on processing activities, procedures and services:
- Instagram: Social network enabling the sharing of photos and videos, commenting and liking posts, sending messages, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Website: https://www.instagram.com; Privacy policy: https://privacycenter.instagram.com/policy/; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF).
- YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); Privacy policy: https://policies.google.com/privacy; Basis for international transfers: EU/EEA – Data Privacy Framework (DPF); Switzerland – Data Privacy Framework (DPF); Opt-out: https://myadcenter.google.com/personalizationoff.
Plug-ins and Embedded Functions and Content
We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as “Third-Party Providers”). These may include, for example, graphics, videos or maps (hereinafter collectively referred to as “Content”).
Integration always requires that the Third-Party Providers of this Content process users’ IP addresses, since without the IP address they would not be able to send the Content to the users’ browsers. The IP address is therefore required for the display of this Content or functions. We endeavour to use only such Content whose respective providers use the IP address solely for delivering the Content. Third-Party Providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on users’ devices and may include technical information about the browser and operating system, referring websites, time of visit and other information regarding the use of our online services, and may also be linked with such information from other sources.
Information on legal bases: Where we ask users for their consent to the use of Third-Party Providers, the legal basis for processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and user-friendly services). In this context, please also refer to the information on the use of cookies in this Privacy Policy.
- Types of data processed: Usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); location data (information about the geographical position of a device or person); event data (Facebook) (“Event Data” is information sent to Meta, for example via the Meta Pixel (whether via apps or other channels), and relates to individuals or their actions. This includes, for example, details of website visits, interactions with content and functions, app installations and product purchases. Event Data is processed with the aim of creating audiences for content and advertising messages (“Custom Audiences”). Event Data does not include actual content such as written comments, login information or contact information such as names, email addresses or telephone numbers. Event Data is deleted by Meta after a maximum of two years, and audiences derived from it disappear when our Meta user accounts are deleted).
- Data subjects: Users (e.g. website visitors, users of online services).
- Purposes of processing and legitimate interests: Provision of our online services and user-friendliness; reach measurement (e.g. access statistics, recognition of returning visitors); tracking (e.g. interest-/behaviour-based profiling, use of cookies); audience building; marketing; provision of contractual services and fulfilment of contractual obligations.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”. Storage of cookies for up to two years (unless otherwise stated, cookies and similar storage methods may be stored on users’ devices for a period of up to two years).
- Legal bases: Consent (Article 6(1)(a) UK GDPR / EU GDPR); legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR).
Management, Organisation and Auxiliary Tools
We use services, platforms and software from other providers (hereinafter referred to as “Third-Party Providers”) for the purposes of organisation, administration, planning and providing our services. When selecting Third-Party Providers and their services, we comply with statutory requirements.
In this context, personal data may be processed and stored on the servers of the Third-Party Providers. This may include various data that we process in accordance with this Privacy Policy, in particular master data and contact data of users, data relating to processes, contracts and other procedures and their content.
Where users are referred to Third-Party Providers or their software or platforms in the context of communication, business or other relationships with us, the Third-Party Providers may process usage data and metadata for security purposes, service optimisation or marketing purposes. We therefore ask you to observe the privacy notices of the respective Third-Party Providers.
- Types of data processed: Content data (e.g. textual or visual messages and posts and related information such as authorship or time of creation); usage data (e.g. page views and dwell time, click paths, usage intensity and frequency, device types and operating systems, interactions with content and functions); meta, communication and procedural data (e.g. IP addresses, timestamps, identification numbers, persons involved); contact data (e.g. postal and email addresses or telephone numbers); identity data (e.g. full name, residential address, contact information, customer number, etc.); employee data (information relating to employees and other persons in an employment relationship); payment data (e.g. bank details, invoices, payment history); contractual data (e.g. subject matter of the contract, term, customer category).
- Data subjects: Communication partners; users (e.g. website visitors, users of online services); business and contractual partners; prospective customers and enquirers; service recipients and clients; employees (e.g. staff members, applicants, temporary staff and other personnel); tenants.
- Purposes of processing and legitimate interests: Communication; provision of contractual services and fulfilment of contractual obligations; office and organisational procedures; administrative procedures; IT infrastructure (operation and provision of information systems and technical devices such as computers and servers); provision of our online services and user-friendliness; conversion measurement (measuring the effectiveness of marketing measures); marketing; affiliate tracking.
- Retention and erasure: Erasure in accordance with the section “General Information on Data Retention and Erasure”.
- Legal bases: Legitimate interests (Article 6(1)(f) UK GDPR / EU GDPR); performance of a contract and pre-contractual enquiries (Article 6(1)(b) UK GDPR / EU GDPR).
Amendments and Updates
We ask you to review the content of our Privacy Policy regularly. We will adapt the Privacy Policy as soon as changes to the data processing activities we carry out make this necessary. We will inform you where changes require any action on your part (e.g. consent) or other individual notification.
Where we provide addresses and contact information of companies and organisations in this Privacy Policy, please note that addresses may change over time, and we ask you to verify the information before making contact.
Definitions of Terms
In this section you will find an overview of the terminology used in this Privacy Policy. Where terms are defined by law, their statutory definitions apply. The following explanations are intended primarily to aid understanding.
- A/B testing: A/B testing is used to improve the user-friendliness and performance of online services. Users are presented with different versions of a webpage or its elements (e.g. input forms), which may differ in the arrangement of content or labelling of navigation elements. Based on user behaviour (e.g. longer dwell time or more frequent interaction), it can then be determined which version better meets users’ needs.
- Affiliate tracking: In affiliate tracking, links through which referring websites direct users to websites with product or other offers are recorded. Operators of the referring websites may receive a commission if users follow these affiliate links and subsequently take up the offers (e.g. purchase goods or use services). For this purpose, providers must be able to track whether users interested in certain offers subsequently take them up via the affiliate links. Therefore, affiliate links are supplemented with certain values that become part of the link or are stored otherwise (e.g. in a cookie). These values include, in particular, the referring website (referrer), time, an online identifier of the operator of the website on which the affiliate link was located, an online identifier of the respective offer, an online identifier of the user and tracking-specific values such as advertising material ID, partner ID and categorisations.
- Employees: Employees are persons in an employment relationship, whether as staff members or in similar positions. An employment relationship is a legal relationship between an employer and an employee established by an employment contract or agreement. It includes the employer’s obligation to pay remuneration in return for the employee’s work. Employee data includes all information relating to such persons in the context of their employment (e.g. identification data, payroll and bank data, working hours, leave entitlements, health data and performance assessments).
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Controller: The “controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: “Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers practically any handling of data, such as collection, evaluation, storage, transmission or deletion.